scylladb/docs/operating-scylla/security/runtime-authentication.rst
Anna Stuchlik a3481a4566 doc: document the system_auth_v2 feature
This commit includes updates related to replacing system_auth with system_auth_v2.

- The keyspace name system_auth is renamed to system_auth_v2.
- The procedures are updated to account for system_auth_v2.
- The system_auth RF changes that are no longer required are removed from the procedures.
- The information is added that if the consistent topology updates feature
  was not enabled upon upgrade from 5.4, there are limitations or additional
  steps to do (depending on the procedure).
  The files with that kind of information are to be found in _common folders
  and included as needed.
- The upgrade guide has been updated to reflect system_auth_v2 and related impacts.

Closes scylladb/scylladb#18077
2024-04-18 18:33:49 +02:00


Enable and Disable Authentication Without Downtime
==================================================

.. scylladb_include_flag:: upgrade-note-runtime-authentication.rst

Authentication is the process where login accounts and their passwords are verified, and the user is allowed access into the database. Authentication is done internally within Scylla and is not done with a third party. Users and passwords are created with :doc:`roles </operating-scylla/security/authorization>` using a ``CREATE ROLE`` statement. This procedure enables Authentication on the Scylla servers using a transitional state, allowing clients to work with or without Authentication at the same time. In this state, you can update the clients (applications using Scylla/Apache Cassandra drivers) one at a time. Once all the clients are using Authentication, you can enforce Authentication on all Scylla nodes as well. If you would rather perform a faster authentication procedure where all clients (applications using Scylla/Apache Cassandra drivers) will stop working until they are updated to work with Authentication, refer to :doc:`Enable Authentication </operating-scylla/security/runtime-authentication>`.

Enable Authentication Without Downtime
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This procedure allows you to enable authentication on a live Scylla cluster without downtime.

Procedure
---------

#. Update the ``authenticator`` parameter in ``scylla.yaml`` for all the nodes in the cluster: Change ``authenticator: AllowAllAuthenticator`` to ``authenticator: com.scylladb.auth.TransitionalAuthenticator``.

   .. code-block:: yaml

      authenticator: com.scylladb.auth.TransitionalAuthenticator

#. Run the :doc:`nodetool drain </operating-scylla/nodetool-commands/drain>` command (Scylla stops listening to its connections from the client and other nodes).

#. Restart the nodes one by one to apply the effect.

   .. include:: /rst_include/scylla-commands-restart-index.rst

#. Log in with the default superuser credentials and create an authenticated user with a strong password.

   For example:

   .. code-block:: cql

      cqlsh -ucassandra -pcassandra
      cassandra@cqlsh> CREATE ROLE scylla WITH PASSWORD = '123456' AND LOGIN = true AND SUPERUSER = true;
      cassandra@cqlsh> LIST ROLES;

       name      | super
      -----------+-------
       cassandra |  True
          scylla |  True

   Optionally, assign the role to your user. For example:

   .. code-block:: cql

      cassandra@cqlsh> GRANT scylla TO myuser;

#. Log in with the newly created user and drop the superuser ``cassandra``.

   .. code-block:: cql

      cqlsh -u scylla -p 123456
      scylla@cqlsh> DROP ROLE cassandra;
      scylla@cqlsh> LIST ROLES;

       name   | super
      --------+-------
       scylla |  True

#. Update the ``authenticator`` parameter in ``scylla.yaml`` for all the nodes in the cluster: Change ``authenticator: com.scylladb.auth.TransitionalAuthenticator`` to ``authenticator: PasswordAuthenticator``.

   .. code-block:: yaml

      authenticator: PasswordAuthenticator

#. Restart the nodes one by one to apply the effect.

   .. include:: /rst_include/scylla-commands-restart-index.rst

#. Verify that all the client applications are working correctly with authentication enabled.

Disable Authentication Without Downtime
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This procedure allows you to disable authentication on a live Scylla cluster without downtime. Once disabled, you will have to re-enable authentication where required.

Procedure
---------

#. Update the ``authenticator`` parameter in ``scylla.yaml`` for all the nodes in the cluster: Change ``authenticator: PasswordAuthenticator`` to ``authenticator: com.scylladb.auth.TransitionalAuthenticator``.

   .. code-block:: yaml

      authenticator: com.scylladb.auth.TransitionalAuthenticator

#. Restart the nodes one by one to apply the effect.

   .. code-block:: shell

      sudo systemctl restart scylla-server

#. Update the ``authenticator`` parameter in ``scylla.yaml`` for all the nodes in the cluster: Change ``authenticator: com.scylladb.auth.TransitionalAuthenticator`` to ``authenticator: AllowAllAuthenticator``.

   .. code-block:: yaml

      authenticator: AllowAllAuthenticator

#. Restart the nodes one by one to apply the effect.

   .. include:: /rst_include/scylla-commands-restart-index.rst

#. Verify that all the client applications are working correctly with authentication disabled.

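As an added example (not part of the ScyllaDB documentation), the following POSIX shell helpers guard the rolling authenticator changes used by both the enable and disable procedures above: they read the active setting from a node's ``scylla.yaml``, allow only the single steps through ``com.scylladb.auth.TransitionalAuthenticator``, and confirm that every node agrees before the next stage starts. The function names and the temporary demo file are assumptions; the demo does not touch a real node's configuration.

```shell
#!/bin/sh
# Added example, not part of the ScyllaDB docs: guards for the rolling
# authenticator changes above. A node is only ever moved one step along
# AllowAllAuthenticator <-> TransitionalAuthenticator <-> PasswordAuthenticator,
# so clients that are not yet authenticating are never locked out.

# Print the active authenticator from a scylla.yaml (last uncommented key wins).
current_authenticator() {
  sed -n 's/^[[:space:]]*authenticator:[[:space:]]*//p' "$1" | tail -n 1 | tr -d "'\" \r"
}

# Succeed only for the single-step transitions the procedures use.
allowed_transition() {
  case "$1->$2" in
    "AllowAllAuthenticator->com.scylladb.auth.TransitionalAuthenticator") return 0 ;;
    "com.scylladb.auth.TransitionalAuthenticator->PasswordAuthenticator")  return 0 ;;
    "PasswordAuthenticator->com.scylladb.auth.TransitionalAuthenticator")  return 0 ;;
    "com.scylladb.auth.TransitionalAuthenticator->AllowAllAuthenticator")  return 0 ;;
    *) return 1 ;;
  esac
}

# Rewrite the authenticator in FILE ($1) to TARGET ($2), refusing a direct
# AllowAll <-> Password jump. Commented-out keys are left untouched.
set_authenticator() {
  cur=$(current_authenticator "$1")
  if ! allowed_transition "$cur" "$2"; then
    echo "refusing $cur -> $2 in $1: go through TransitionalAuthenticator first" >&2
    return 1
  fi
  sed -i.bak "s|^\([[:space:]]*authenticator:\).*|\1 $2|" "$1" && rm -f "$1.bak"
}

# Print the authenticator shared by every scylla.yaml given as an argument,
# or fail: the next stage must not start while some nodes still run the old one.
cluster_authenticator() {
  first=$(current_authenticator "$1")
  for node in "$@"; do
    [ "$(current_authenticator "$node")" = "$first" ] || { echo "mismatch: $node" >&2; return 1; }
  done
  echo "$first"
}

# Demo on a constructed temporary file, not a real node's configuration.
demo=$(mktemp)
printf 'authenticator: AllowAllAuthenticator\n' > "$demo"
set_authenticator "$demo" PasswordAuthenticator || echo "direct jump blocked, as intended"
set_authenticator "$demo" com.scylladb.auth.TransitionalAuthenticator && cluster_authenticator "$demo"
rm -f "$demo"
```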
.. _runtime-authentication-upgrade-info:

.. scylladb_include_flag:: upgrade-warning-runtime-authentication.rst